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One PIA may be prepared to cover multiple websites or applications that are functionally 
comparable as long as agency or bureau practices are substantially similar across each website 
or application. However, any use of a third-party website or application that raises distinct 
privacy risks requires a complete PIA exclusive to the specific website or application. 
Department-wide PIAs must be elevated to the OCIO for review and approval. 


SECTION 1: Specific Purpose of the Agency’s Use of the Third-Party Website or 
Application 


gal What is the specific purpose of the agency’s use of the third-party website or 
application and how does that use fit with the agency’s broader mission? 


Google+ is a web-based application owned and operated by Google Inc. that provides a 
free social networking service to users world-wide. Google+ users can create personal 
profiles, exchange messages with other users, join groups of similar interests, and share 
photos, videos, and an expanding array of other media. User profiles may include 
photos, videos, lists of interests, and contact information, including personal information. 
Google+ users can communicate with each other and with groups through public and 
private messages and chat features, including text messaging and video “hangouts.” 
Video “hangouts” can be broadcast using an online live streaming video application 
operated by a third party to facilitate communication and increase government 
transparency. 


The Department of the Interior established an official presence on Google+ to 
disseminate information to the public and enhance communication, to foster and share 
ideas, facilitate feedback on Department programs, promote public participation and 
collaboration, and increase government transparency. The primary account holder is the 
Department of the Interior Office of Communications, which will be responsible for 
ensuring information posted on the Department's official Google+ website by 
Department officials or employees is appropriate and approved for public dissemination. 
DOI bureaus and offices are responsible for ensuring information posted on their official 
Google+ page is appropriate and approved for public dissemination in accordance with 
applicable laws, regulations, and DOI privacy, security and social media policies. 


1.2 Is the agency’s use of the third-party website or application consistent with all 
applicable laws, regulations, and policies? What are the legal authorities for the 
use of the third-party website or application? 


Presidential Memorandum on Transparency and Open Government, January 21, 2009; 
OMB M-10-06, Open Government Directive, December 8, 2009; OMB M-10-23, 
Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010; the 
Paperwork Reduction Act, 44 U.S.C. 3501; the Clinger-Cohen Act of 1996, 40 U.S.C. 
1401; OMB Circular A-130; 210 Departmental Manual 18; and 110 Departmental Manual 
5. 
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SECTION 2: Any PII that is Likely to Become Available to the Agency Through the 
Use of the Third-Party Website or Application 


2.1 


2.2 


2.3 


What PII will be made available to the agency? 


If a Google+ user or member of the public interacts with DOI on its official Google+ 
page, posts comments, joins a group, exchanges messages or participates in one of the 
various services, requests information or submits feedback from their use of Google+, 
their name, username, email address, content of messages, blogs or postings, including 
photos, images, videos, audio, and other personal information provided by the user may 
become available to DOI. Digital images or videos may also contain personally 
identifiable information, geographical indicators, or other metadata. 


The use of Google+ is governed by Google's universal Terms of Service and Privacy 
Policy. Pursuant to the Terms of Service and Privacy Policy, information provided by 
users of a Google service, including PII, may be combined or integrated into other 
Google services. As a result, PII provided by a user in another Google service may 
become available to DOI through Google+. Google users can set their own privacy 
settings and exhibit control over some of the personal information tied to the user's 
Google account and whom that information is shared with. 


The Department does not collect or share PII from the use of Google+, except in unusual 
circumstances where there is evidence of criminal activity, a threat to the government, a 
threat to the public, or when an employee violates DOI policy and is referred for 
disciplinary action. This information may include name, username, email address, 
photos, images, videos, audio, content of messages, blogs or postings, or other personal 
information provided by the user, and may be used to notify the appropriate agency 
officials or law enforcement organizations. 


What are the sources of the PII? 


Sources of information are users of Google services world-wide, including members of 
the general public and Federal employees, and may include other government agencies 
and private organizations. 


Will the PII be collected and maintained by the agency? 


DO! does not actively collect, maintain or disseminate PII from users of Google+; 
however, PII does become available through interactions with Google+ users. 

If a Google+ user or member of the public interacts with DOI on its official Google+ 
Page, posts comments, joins a group, exchanges messages or participates in one of the 
various services, requests information or submits feedback from their use of Google+, 
their name, username, email address, content of messages, blogs or postings, including 
photos, images, videos, audio, and other personal information provided by the user may 
become available to DOI. Digital images or videos may also contain personally 
identifiable information, geographical indicators, or other metadata. The Department 
does not collect or share PII from the use of Google+, except in unusual circumstances 
where there is evidence of criminal activity, a threat to the government, a threat to the 
public, or when an employee violates DOI policy and is referred for disciplinary action. 





Google+ 
Adapted Privacy Impact Assessment 
February 8, 2012 





2.4 


This information may include name, username, email address, photos, images, videos, 
audio, content of messages, blogs or postings, or other personal information provided by 
the user, and may be used to notify the appropriate agency officials or law enforcement 
organizations. 


Any DOI bureau or office that uses Google+ in a way that creates a system of records 
must complete a separate PIA for the specific use and collection of information, and 
must maintain the records in accordance with DOI-08, Social Networks system of 
records notice. DOI Privacy Act system of records notices may be viewed at 


http://www.doi.gov/ocio/privacy/DO!_notices.htm. 


Do the agency’s activities trigger the Paperwork Reduction Act (PRA) and, if so, 
how will the agency comply with the statute? 


No, DOI is not using Google+ to survey the public or in any manner that would trigger 
the requirements of the Paperwork Reduction Act. 


SECTION 3: The Agency’s Intended or Expected Use of the PII 


3.1 


3.2 


Generally, how will the agency use the PII described in Section 2.0? 


The Department of the Interior uses Google+ to disseminate information to the public 
and enhance communication, to foster and share ideas, facilitate feedback on 
Department programs, promote public participation and collaboration, and increase 
government transparency. Google+ user interactions with DOI may include name, 
username, email address, photos, images, videos, audio, content of messages or 
postings, or other personal information provided by the user. This information may be 
used to communicate with users or provide requested information. Also, there may be 
unusual cases where user interactions indicate evidence of criminal activity or a threat to 
the government, a threat to the public, or employee violation of DOI policy. This 
information may include name, username, email address, photos, images, videos, audio, 
content of messages, blogs or postings, or other personal information provided by the 
user, and may be used to notify the appropriate agency officials or law enforcement 
organizations. 


Provide specific examples of the types of uses to which PII may be subject. 


If a user requests information or submits feedback from their use of Google+, their 
username, email address, image or other user provided personal information may 
become available and used to communicate with the individual user or provide additional 
information on DOI programs or mission. Also, there may be unusual cases where user 
interactions indicate evidence of criminal activity, a threat to the government or the 
public, or an employee violation of DOI policy. This information may include username, 
email address, images, videos, audio, content of messages or postings, and other user 
provided personal information, and may be used to notify the appropriate agency 
officials or law enforcement organizations. 
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SECTION 4: Sharing or Disclosure of PII 


41 


4.2 


With what entities or persons inside or outside the agency will the PII be shared, 
and for what purpose will the PII be disclosed? 


Google+ is a third party social networking web application used by millions of individuals 
and organizations world-wide, including Federal, Tribal, State and local agencies who 
may have access to the data posted in Google+. DOI does not collect PII or share PII 
with these other agencies and is not responsible for how they may access or use 
Google+ data. However, there may be unusual cases where user interactions indicate 
evidence of criminal activity, a threat to the government, a threat to the public, or an 
employee violates DOI policy and is referred for disciplinary action. This information 
may include name, username, email address, photos, images, videos, audio, content of 
messages, blogs or postings, or other personal information provided by the user, and 
may be used to notify the appropriate agency officials or law enforcement organizations. 


What safeguards will be in place to prevent uses beyond those authorized under 
law and described in this PIA? 


Official mission related information posted on Google+ by DOI is reviewed and approved 
for public dissemination prior to posting so any privacy risks for the unauthorized 
disclosure of personal data by the Department is mitigated. However, except for official 
postings DOI does not control the content or privacy policy on Google+. There could 
potentially be millions of Google+ users who have access to information posted through 
Google applications, including the general public, Federal employees, private 
organizations, and Federal, State, Tribal and local agencies. 


Google is responsible for protecting its users’ privacy and the security of the data in the 
application. Google+ users are subject to Google's Privacy Policy and Terms of Service, 
and can control access to their own PII, generally via privacy settings, as well as user 
discretion regarding the information provided. 


SECTION 5: Maintenance and Retention of PII 


5.1 


How will the agency maintain the PII, and for how long? 


Retention periods vary as records are maintained in accordance with the applicable 
records schedule for each specific type of record maintained by the Department. 
Records published through Google+ represent public informational releases by the 
Department, and must be assessed on a case-by-case basis depending on the 
individual/entity releasing the information and the purpose of the release. There is no 
single records schedule that covers all informational releases to the public at this time. 


Comments and input from the public must be assessed by whether they contribute to 
decisions or actions made by the government. In such cases where input from the public 
serves a supporting role, the comments must be preserved as supporting documentation 
for the decision made. Approved methods for disposition of records include shredding, 


5 





Google+ 
Adapted Privacy Impact Assessment 
February 8, 2012 





5.2 


burning, tearing, and degaussing in accordance with National Archives and Records 
Administration guidelines and 384 Departmental Manual 1. 


Was the retention period established to minimize privacy risk? 


Retention periods may vary depending on agency requirements and the subject of the 
records for the DOI bureau or office maintaining the records. In cases where data 
serves to support agency business, it must be filed with the pertinent records they 
support and follow the corresponding disposition instructions. Comments used as 
supporting documentation will utilize the disposition instructions of the records they are 
filed with. 


SECTION 6: How the Agency will Secure PII 


6.1 


6.2 


Will privacy and security officials coordinate to develop methods of securing PII? 


Yes, Privacy and security officials work with the Office of Communications to develop 
methods for protecting individual privacy and securing PII that becomes available to 
DOI. 


How will the agency secure PII? Describe how the agency will limit access to PII, 
and what security controls are in place to protect the PII. 


DOI does not collect, maintain or disseminate PII from Google+ users, except in unusual 
cases where user interactions indicate evidence of criminal activity, a threat to the 
government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, email address, photos, images, videos, audio, 
content of messages, blogs or postings, or other personal information provided by the 
user, and may be used to notify the appropriate agency officials or law enforcement 
organizations. In these cases PII is secured in accordance with DOI Privacy Act 
regulations 43 CFR 2.51 and applicable DOI privacy and security policies. Access to the 
DOI network is restricted to authorized users with password authentication controls, the 
server is located in secured facilities behind restrictive firewalls, and access to 
databases and files is controlled by the system administrator and restricted to authorized 
personnel based on official need to know. Other security controls include continuously 
monitoring threats, rapid response to incidents, and mandatory employee security and 
privacy training. 


SECTION 7: Identification and Mitigation of Other Privacy Risks 


z1 


What other privacy risks exist, and how will the agency mitigate those risks? 


The official information posted by DOI has been reviewed and approved for public 
dissemination so any privacy risk of unauthorized disclosure of personal data by the 
Department is mitigated. 
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7.2 


DOI does not have any control over personal information posted by individual Google+ 
users, including members of general public and Federal employees. DOI systems do 
not share data with the Google+ application. 


Google is a private third party that is independently operated and controls access to user 
data within its systems. Google+ users control access to their own PII, generally via 
system settings. DOI has the same access as any other user dependent on individual 
user personal information disclosures and has no control over user content posted in 
Google+, except for official DOI postings. DOI may edit or remove postings by users 
that are deemed inappropriate or inconsistent with DOI's message or mission. However, 
due to the fact that Google+ is owned and operated by a third party, DOI cannot prevent 
or ensure that users do not disclose PII on DOI’s Google+ site. 


Does the agency provide appropriate notice to individuals informing them of 
privacy risks associated with the use of third-party website or application? 


DOl's Privacy Policy informs the public of how DOI handles personally identifiable 
information that becomes available through interaction on the DOI official website. The 
Privacy Policy also informs the public that DOI has no control over access restrictions or 
privacy procedures on third party websites, and that individuals are subject to third party 
social media website privacy and security policies. DOI's linking policy informs the 
public that they are subject to third party privacy policies when they leave a DOI official 
website to link to third party social media web sites. 


The Department of the Interior has also posted a Privacy Notice on its official Google+ 
page which informs users that Google+ is a non-government third party application. It 
also informs users of how DOI handles personally identifiable information that becomes 
available through user interaction and directs Google+ users to the DOI Privacy Policy 
for information handling practices. 


SECTION 8: Creation or Modification of a System of Records 


8.1 


8.2 


Will the agency’s activities create or modify a “system of records” under the 
Privacy Act of 1974? 


No. DOI does not collect, maintain or disseminate PII from its use of Google+. Any DOI 
bureau or office that creates a system of records from use of Google+ will complete a 
separate PIA for that specific use and collection of information, and must maintain the 
records in accordance with DOI-08, Social Networks system of records notice, which 
may be viewed at http:/Awww.doi.gov/ocio/privacy/DOI_notices.htm. 





Provide the name and identifier for the Privacy Act system of records. 


DOI does not actively collect, maintain or disseminate PII obtained from the use of 
Google+. Any DOI bureau or office that creates a system of records from use of 
Google+ will complete a separate PIA for that specific use and collection of information, 
and must maintain the records in accordance with DOI-08, Social Networks system of 
records notice which may be viewed at http://www.doi.gov/ocio/privacy/DO!_notices.htm. 





